Stop SSH Brute Force Attack: Limit SSH Login Accounts
Since the whitebox's SSH, FTP and HTTP services are exposed to the internet, it receives a large number of brute-force login attempts. tail -100 /var/log/secure gave me a lot of warnings like the ones below:
Jan 29 08:21:01 whitebox sshd[4414]: Failed password for nobody from 218.24.139.109 port 35958 ssh2
Jan 29 08:21:06 whitebox sshd[4417]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:08 whitebox sshd[4417]: Failed password for invalid user patrick from 218.24.139.109 port 40135 ssh2
Jan 29 08:21:11 whitebox sshd[4419]: Invalid user patrick from 218.24.139.109
Jan 29 08:21:14 whitebox sshd[4419]: Failed password for invalid user patrick from 218.24.139.109 port 43318 ssh2
Jan 29 08:21:19 whitebox sshd[4422]: Failed password for root from 218.24.139.109 port 46797 ssh2
Jan 29 15:36:11 whitebox sshd[6282]: Did not receive identification string from 65.18.181.235
Jan 29 15:41:24 whitebox sshd[6303]: Failed password for root from 65.18.181.235 port 1150 ssh2
Jan 29 15:41:28 whitebox sshd[6305]: Failed password for root from 65.18.181.235 port 1654 ssh2
BTW, you really should take a look at your /var/log/messages and /var/log/secure; you will be surprised by the number of failed logins from nowhere.
As the first attempt to fight against brute-force attacks, I would like to limit the accounts that can log in through SSH. My practice is to create a hard-to-guess account id with a very strong password, used for SSH login only. Once I get in, I may su to other users for user-specific work. Hopefully, this reduces the chance of a brute-force break-in.
1. Edit file /etc/pam.d/sshd, add the following line as the first line:
auth required pam_listfile.so sense=allow item=user file=/etc/ssh/ssh_allow_users onerr=fail
2. Create a new file /etc/ssh/ssh_allow_users and put in it the user id that is allowed to log in through SSH. -- You may actually put multiple user ids in this file, one per line, for example:
jihe
lucy
Edit 10/26/2007: My thanks to Eric Rideough for pointing out a typo on the filename above. I mis-typed the filename as ssl_allow_users in my previous post.
3. Run /sbin/service sshd restart. Test SSH login with the allowed accounts above: SUCCESSFUL. Test SSH login with other system accounts not in the whitelist above: FAILED. ALL DONE.
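The three steps above as one added shell script (example code, not from the original post): it prepends the pam_listfile rule only if it is not already there, and checks the allow list before you restart sshd, because with sense=allow and onerr=fail a missing, empty or world-writable list denies every login. The demo at the end runs on constructed temp copies; on a real host you would pass /etc/pam.d/sshd and /etc/ssh/ssh_allow_users.

```shell
#!/bin/sh
# Added example, not from the original post: the three steps above as idempotent
# shell functions with the checks that keep onerr=fail from locking you out.
PAM_RULE='auth required pam_listfile.so sense=allow item=user file=/etc/ssh/ssh_allow_users onerr=fail'

# Step 1: prepend PAM_RULE to the sshd PAM file ($1) unless it is already there.
add_pam_rule() {
    pam_file=$1
    if grep -qF 'pam_listfile.so' "$pam_file"; then
        echo "already present"
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$PAM_RULE"; cat "$pam_file"; } > "$tmp" && cat "$tmp" > "$pam_file"
    rm -f "$tmp"
    echo "added"
}

# Step 2 sanity check: every user in the allow list ($1) must exist in the passwd
# file ($2); the list must be non-empty, a regular file and not world-writable
# (pam_listfile rejects a world-writable list, and it must also be owned by root).
# Prints each problem found; returns 1 if there was any.
check_allow_list() {
    list=$1; passwd=$2; rc=0; n=0
    [ -f "$list" ] || { echo "not a regular file: $list"; return 1; }
    while read -r user; do
        [ -z "$user" ] && continue
        n=$((n + 1))
        grep -q "^$user:" "$passwd" || { echo "unknown user: $user"; rc=1; }
    done < "$list"
    [ "$n" -gt 0 ] || { echo "empty allow list: nobody could log in"; rc=1; }
    # the 9th character of the ls -l mode string is the world-write bit
    [ "$(ls -ld "$list" | cut -c9)" = "-" ] || { echo "world-writable: $list"; rc=1; }
    return $rc
}

# Demo on constructed temp copies, so this runs on any box without touching /etc.
# On the real host use /etc/pam.d/sshd and /etc/ssh/ssh_allow_users, then step 3:
# /sbin/service sshd restart, and test from a second session before closing this one.
d=$(mktemp -d)
printf 'auth include system-auth\n' > "$d/sshd"
printf 'jihe\nlucy\n' > "$d/ssh_allow_users"
chmod 644 "$d/ssh_allow_users"
printf 'root:x:0:0::/root:/bin/sh\njihe:x:1000:1000::/home/jihe:/bin/sh\n' > "$d/passwd"
add_pam_rule "$d/sshd"      # added
add_pam_rule "$d/sshd"      # already present
check_allow_list "$d/ssh_allow_users" "$d/passwd" || echo "fix the allow list first"
rm -rf "$d"
```

In the demo, lucy is deliberately missing from the constructed passwd file, so the check reports her and the script tells you to fix the list before restarting sshd.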